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Method for protectedly debiting an electronic payment means. 

BACKGROUND OF THE INVENTION 

The invention relates to a method for debiting an electronic 
payment means, such as an electronic payment card provided with an 
integrated circuit ("chip card"). In particular, though not 
5 exclusively, the invention relates to a method for protectedly 

debiting prepaid electronic payment cards ("prepaid cards") as these 
are applied, e.g., for telephone booths. In the present text, the term 
payment means will be used irrespective of the form or the type of the 
specific payment means. A payment means may therefore be formed by, 
10 e.g., a chargeable payment card or a non- card- shaped electronic 
payment means . 

In recent years, electronic payment means are being applied ever 
more frequently, not only for paying for the use of public telephone 
sets , but also for many other payment purposes . Since such a payment 

15 means generally comprises a (credit) balance which represents a 

monetary value, it is necessary to have the exchange of data between 
such a payment means and a payment station (such as a telephone set 
designed for electronic payment or an electronic cash register) run 
according to a protected method (payment protocol). Here, it should be 

20 ensured, e.g. , that an amount (monetary value or number of calculation 
units) debited to the payment means correspond to an amount (monetary 
value or calculation units) credited elsewhere: the amount paid by a 
customer should correspond to the amount to be received by a supplier. 
The credited amount may be stored, e.g., in a protected module present 

25 in the payment station. 

Prior Art payment methods, as disclosed in e.g. European Patent 
Application EP 0,637,004, comprise: a first step, in which the balance 
of the payment means is retrieved by the payment station; a second 
step, in which the balance of the payment means is lowered (debiting 

30 the payment means); and a third step, in which the balance of the 
payment means is retrieved again. From the difference between the 
balances of the first and third steps the debited amount, and 
therewith the amount to be credited in the payment station, may be 
determined. The second step may be repeated several times, possibly in 

35 combination with the third step. 

In order to prevent fraud, in the event of such a method the 
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first step makes use of a random number which is generated by the 
payment station and transferred to the payment means, e.g., as part of 
a code with which the balance is retrieved. On the basis of said 
random number, the payment means as a first response generates an 
5 authentication code which may comprise an (e.g., cryptographic) 

processed form of, inter alia, the random number and the balance. By 
using a different random number for each transaction, it is prevented 
that a transaction may be imitated through replay. In addition, in the 
third step use is made of a second random number, which is also 

10 generated by the payment station and transferred to the payment means. 
On the basis of the second random number , the payment means as a 
second response generates a second, new authentication code which may 
comprise a processed form of, inter alia, the second random number and 
the new balance. On the basis of the difference of the two balances 

15 transferred, the payment station (or a protected module of the pavment 
station, as the case may be) may determine with which amount the 
balance of the payment station should be credited. 

Said known method is basically very resistant to fraud as long 
as a payment means communicates with one payment station (or protected 

20 module) , The drawback of the known method, however, lies in the fact 
that the first and second authentication codes are independent. If a 
second or third payment station (or protected module) communicates 
with the payment means, it is possible, due to said independence, to 
separate the first step from the second and third steps. As a result, 

25 an apparently complete transaction may be achieved without the payment 
means in question being debited by the same amount as the amount by 
which the payment stations (or protected modules) in their entirety 
are credited. It will be understood that such is undesirable. 

US Patent US 5,495,098 and corresponding European Patent 

30 Application EP 0,621,570 disclose a method in which the identity of 
the security module of the payment station is used to ensure that a 
data exchange takes place between the card and one terminal only. The 
protection of the data exchange between the security module, the 
station and the card is relatively complicated and requires extensive 

35 cryptographic calculations . 

Other Prior Art methods are disclosed in e.g. European Patent 
Applications EP 0,223,213 and EP 0,570,924, but these documents do not 
offer a solution to the above-mentioned problems. 
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SUMMARY THE INVENTION 

It is an object of the invention to eliminate the above and 
other drawbacks of the Prior Art, and to provide a method which offers 
an even greater degree of protection of debiting transactions. In 
5 particular, it is an object of the invention to provide a method which 
ensures that during a transaction there only takes place communication 
between the payment means and one payment station or protected module. 
More in particular, it is an object of the invention to provide a 
method which ensures that the amount by which the balance of a payment 
10 means is lowered during a transaction, corresponds to the amount by 
which the balance of only one payment station or protected module is 
increased . 

Accordingly, the present invention provides a method of 
performing a transaction using payment means and a payment station, 
15 the method comprising the repeated execution of an interrogation step 
in which the payment station interrogates the payment means and 
receives payment means data in response, the payment means data 
comprising an authentication code produced by a predetermined process, 
a subsequent authentication code being linked to a preceding 
20 authentication code of the same transaction by an authentication value 
produced in both the payment means and the payment station. By linking 
the authentication codes by authentication values, it is possible to 
distinguish authentication codes of the initial transaction from 
authentication codes of an interfering transaction. Preferably, the 
25 authentication value is altered in each interrogation step, thus 
providing an improved security. 

More specifically, the present invention provides a method of 
protectedly debiting an electronic payment means using a payment 
station, the method comprising: 
30 - a first step, in which: 

the payment station transfers a first random number to the 
payment means , 

the payment means, in response to said first random number, 
transfers a first authentication code to the payment station, 
35 which first authentication code is determined on the basis of at 

least the first random number and a first authentication value, 
and 
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the payment station checks the first authentication code; 

- an optional second step, in which: 

the payment station transfers a debiting command to the payment 
means and the balance of the payment means is lowered on the 
basis of the debiting command; and 

- a third step, in which: 

the payment station transfers a second random number to the 
payment means , 

the payment means, in response to said second random number, 
transfers a second authentication code to the payment station, 
with the second authentication code being determined on the 
basis of at least the second random number and a second 
authentication value, the second authentication value being 
derived from the first authentication value, and 

the payment station derives the second authentication value from 

the first authentication value and checks the second 

authentication code. 
By forming the authentication codes on the basis of, inter alia, 
mutually related authentication values, there is offered the 
possibility to check whether the second authentication code (in the 
third step) is related to the first authentication code (in the first 
step) . By now generating a new authentication value each time an 
authentication code must be determined, there is offered the 
possibility of distinguishing consecutive authentication codes, and 
th erewith to distinguish authentication codes associated with 
different transactions. If, each time the first or third step is 
carried out, there is generated a unique authentication value, it may 
be unequivocally determined which second authentication code is 
related to which first one. Therewith it may also be determined 
whether, within a transaction, a second authentication code has 
already been issued. 

The authentication values are basically autonomously generated 
by the payment means. There preferably is not possible any influencing 
from outside, such in order to prevent fraud. The authentication 
values may be generated in various ways, e.g., by a random generator 
or by a counter. 

The first and second authentication values of a transaction may 
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10 



be related by them having, e.g., the same value, or by them having 
mutually dependent values, such as consecutive values of a counter. 
Also the first authentication value may be a random number, and the 
second authentication value may be formed from the first one by adding 
a certain number thereto. Basically, each pair of authentication 
values should be related in such a manner that this is capable of 
being unequivocally checked. 

It is a further object of the invention to provide an electronic 
payment means and a payment station in which the method is applied. 



RBTFF DESCRIPTION OF TH E DRAWINGS 

The invention will be explained in greater detail below by 
reference to the Figures. 

Fig. 1 schematically shows a payment system in which the inven- 

15 tion may be applied. 

Fig. 2 schematically shows a method in which the invention is 

applied . 

Fig. 3 schematically shows the producing of an authentication 
code as used in the method of Fig. 2. 
20 Fig . 4 schematically shows the integrated circuit of a payment 

means with which the invention may be applied. 

DESCRIPTION OF PREFERRED EMBODIMENTS 

The system 10 for electronic payment schematically shown in Fig. 
25 1, by way of example comprises an electronic payment means, such as a 
so-called chip card or smart card 11, a payment station 12, a first 
payment institution 13, and a second payment institution 16. The 
payment station (terminal) 12 is shown in Fig. 1 as a cash register, 
but may also comprise, e.g., a (public) telephone set. The payment 
30 institutions 13 and 14, both denoted as bank in Fig. 1, may not only 
be banks but also further institutions having at their disposal means 
(computers) for settling payments. In practice, the payment institu- 
tions 13 and Ih may form one payment institution. In the example 
shown, the payment means 11 comprises a substrate and an integrated 
35 circuit having contacts 15, which circuit is designed for processing 
(payment) transactions. The payment means may also comprise an elec- 
tronic wallet. 
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Between the payment means 11 and the payment station 12 there 
takes place, during a transaction, an exchange of payment data PD1 . 
The payment means 11 is associated with the payment institution 13, 
while the payment station 12 is associated with the payment 
5 institution 14. Between the payment institutions 13 and 14 there takes 
place, after a transaction, a settlement by exchanging payment data 
PD2 , which is derived from the payment data PD1 . During a transaction 
there basically does not take place communication between the payment 
station 12 and the payment institution 14 in question (so-called off- 

10 line system) . Transactions must therefore occur under controlled 

conditions to ensure that there can take place no abuse of the system- 
Such an abuse may be, e.g., increasing a balance of the payment means 
11 which is not matched by a balance change of a counterpart account 
at the payment institution 13. 

15 The diagram of Fig. 2 shows the exchange of data between (the 

integrated circuit of) a payment means denoted as "Card" (11 in Fig. 
1) and (the protected module of) a payment station denoted as 
"Terminal" (12 in Fig. 1), with consecutive occurrences being shown 
one below the other. 

20 In the first step, denoted by I, the terminal (payment station) 

produces a first random number Rl and transfers this number to the 
card (payment means) (substep la). In practice, the random number Rl 
may be part of a code for retrieving an authentication code. According 
to the invention, the card and the terminal produce a first 

25 authentication value Al , e.g., by increasing a counter, activating a 
random number generator, or both. On the basis of the random number 
Rl , the first authentication value Al and other data, including the 
balance SI of the payment means , the card produces an authentication 
code MAC1 = F(R1, Al , SI, .-.), where F may be a cryptographic 

30 function known per se (substep lb). The card data SI and Al as well as 
the authentication code MAC1 are transferred to the terminal (substep 
Ic) . The terminal checks the authentication code on the basis of, 
inter alia, Rl , SI and Al and, in the event of a positive check 
result, records the balance SI. 

35 It should be noted that the transfer of the value Al to the 

terminal is not essential to the present invention but serves to 
provide additional protection against fraud. 
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In the second step, denoted by II, the terminal produces a 
debiting command D, which comprises the amount (quantity) to be 
debited to the payment means . The debiting command D is transferred to 
the card, whereafter the balance SI of the payment means is lowered by 
the quantity to be debited to S2. The second step may possibly be 
repeated several times. 

In the third step, denoted by III, the terminal produces a 
second random number R2 and transfers this to the card (substep Ilia). 
The card generates a second authentication value A2 . On the basis of 
the second random number R2 , the second authentication value A2 and 
other data, including the new card balance S2 , the card produces an 
authentication code MAC 2 = F(R2 , S2 , ...), where F may be a 
cryptographic function known per se (substep Illb) . The card balance 
S2 and the authentication value A2 as well as the authentication code 
MAC1 are transferred to the terminal (substep IIIc). The third step 
may thus run fully analogously to the first step. 

The terminal checks the second authentication code MAC 2 
received, e.g., by reproducing the authentication code and comparing 
the random number R2 . The terminal also checks whether the received 
second authentication value A2 is equal to the corresponding value 
produced in the terminal. If the authentication values A2 are not 
equal, the transaction is terminated and the balance of the terminal 
is therefore not modified. 

If the check of the authentication code MAC 2 has a positive 
result, the terminal records the balance S2. Instead of reproducing 
the authentication codes MAC1 and MAC2 , a deciphering may take place, 
e.g., by carrying out the inverse of the function F. 

In a fourth step, denoted by IV , the difference of the balances 
SI and S2 may be determined and recorded in the terminal. In this 
connection, such difference may either be stored separately or be 
added to an existing value (balance of the terminal) to be settled 
later. Said fourth step, just as possible following steps, is not 
essential for the invention. The steps shown in Fig. 2 may be preceded 
by an authentication or verification step; such, however, is not 
essential for the present invention either. 

In the diagram, which has been discussed above, the random 
numbers Rl and R2 are different. The random numbers Rl and R2 may be 
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identical (Rl - R2 - R) , however, so that in step III it may also be 
checked whether in the authentication code MAC2 use is still being 
made of the same random number R ( = Rl) . 

It should be noted that strictly speaking the number Rl , just as 
the number R2 , need not be a random number: it serves for the 
unequivocal identification of the authentication code MAC1 as response 
to Rl ("challenge"). It is essential only that Rl be not recognisable 
to the card. 

According to Prior Art methods, the authentication codes MAC1 
and MAC 2 are basically independent. This is to say that, if the random 
numbers Rl and R2 differ, there is no direct or indirect relationship 
between the codes MAC1 and MAC2. Due to this independence, there is 
basically no guarantee that the steps I and III are carried out 
between the same card and the same terminal. 

According to the invention , however , when determining the second 
authentication code there is assumed an authentication value which is 
directly related to the authentication value used when determining the 
first authentication code. As a result, a relationship is established 
between the two authentication codes of the transaction in question. 
This relationship is preferably straightforward (e.g. A2 ~ Al + 1) 
allowing a simple check. 

If, e.g., the card receives a (first) random number Rl ' from a 
second terminal after the card has output a first authentication code 
MAC1 to a first terminal, the card will output an authentication code 
MAC2 . If thereupon the first terminal, after outputting a debiting 
command, once again retrieves an authentication code, the card outputs 
a further authentication code MAC3 which is based, inter alia, on the 
further authentication value A3. The terminal will observe that the 
authentication codes MAC1 and MAC3 are not related, and will not be 
capable of using the balance value S3 which was included in the 
authentication code MAC3 . Similarly, an authentication MAC4 , which is 
retrieved by the second terminal, provides no valid authentication and 
therefore no valid balance value. In this manner, the transfer of 
modified balance values to several terminals is effectively prevented. 

The authentication values are preferably formed by consecutive 
numbers, e.g., counter positions. It is also possible, however, to use 
a counter which is increased every other time (second time of 
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generating an authentication value), so that each time two consecutive 
authentication values will be equal. It should be noted that the 
payment means may distinguish between the first and the third steps, 

but need not do so. 
5 The said dependence of the authentication values in accordance 

with the invention ensures that all steps of the transaction in which 
the method according to the invention is applied, take place between 
the same payment means and the same terminal . 

Fig, 3 schematically shows how an authentication code MAC 
10 ("Message Authentication Code"), such as MAC1 and MAC 2 of Fig. 2, may 
be produced. Several parameters are input into a processing means 20 
embodying a function denoted as " F M . This function F may be a 
cryptographical function (such as e.g. the well-known DES function) or 
a so-called "hash" function, both of which are well known in the art. 
15 Alternatively, the function F is a relatively simple combinatorial 

function, in which case the processing means 20 may comprise a shift 
register with selective feedback. The parameters input into the 
processing means 20 and thus into the function F are in the example of 
Fig. 3: a random value R, a card balance S, an authentication value A, 
20 a key K and an initialization vector (start value) Q. The random value 
R corresponds with e.g. the values Rl and R2 transmitted to the card 
in step I and step III respectively. The card balance S corresponds 
with e.g. the balances SI and S2 stored in the card. The key K may be 
a (secret) key which preferably is unique for a specific card or batch 
25 of cards. A key identifier may be exchanged with the terminal in an 
authentication or verification step prior to step I of Fig. 2. 

The initialization vector Q, which initializes the process F, 
may always have a fixed value, e.g. zero. Alternatively, the vector Q 
depends on the residue (final state) of the function F after the 
30 previous step of the transaction. Preferably, the vector Q is reset 
when a new transaction is started. 

The authentication value A is in the example shown generated by 
a counter 21. The counter is preferably increased at each 
interrogation step (e.g. step I and step III), i.e. at each step in 
3 5 which an authentication code (MAC) is produced in response to a random 
number (R) . This results in a different authentication value A being 
used for each authentication code. As the increment (in this case +1, 
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but +2 or +10 are also possible) is predetermined, the terminal is 
able to verify the authentication code. Preferably, the authentication 
value is also transmitted to and verified by the terminal. The counter 
21 is reset when a new transaction is started. 

In the example of Fig. 3, the authentication value A is produced 
by a counter. Alternatively, the counter 21 is replaced by a random 
number generator, which generates a new authentication value A for 
each interrogation step (e.g. steps I and III) of the transaction. In 
this case, the authentication value of the previous step should be 
used as initialization vector ("seed") of the random number generator 
in order to preserve the mutual dependence and reproducibility of the 
authentication values. 

It will be understood that the scheme of Fig. 3 applies to both 
the card and' the terminal. The terminal thus also produces 
authentication values Al, A2 , ... and authentication codes MACl , MAC2 , 
. . . and compares these with the corresponding authentication codes and 
values received from the card. A balance (e.g. S2) will only be 
accepted by Che terminal if the produced and received authentication 
codes and values are equal. 

On the basis of Fig. A, it will be further explained how the 
method according to the invention may be applied to payment cards. 

The diagram of Fig. 4 shows a circuit 100 having a control unit 
101, a memory 102, and an input/output unit 103, which are mutually 
coupled. The control unit may be formed, e.g., by a microprocessor or 
a microcontroller. The memory 102 may comprise a RAM and/or ROM 
memory. The memory 102 preferably comprises a rewritable ROM memory 
(EEPROM) . 

According to the invention, the circuit 100 also comprises a 
supplementary memory 105 for storing authentication values. As shown 
in Fig. 4, said memory 105 may form a separate unit, but may also be 
part of the memory 102 and, e.g., be formed by a few memory positions 
of the memory 102. The memory 105 is preferably formed by a counter 
circuit. Alternatively, a separate counter circuit as shown in Fig. 3 
may be used. 

In a preferred embodiment, consecutive authentication values are 
formed by consecutive counter positions. A first authentication value 
Al, which is used to form the authentication code MACl, corresponds to 
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a position of the counter, as stored in the memory 105. After the 
second step (see also Fig. 2), the counter position is increased by 
one. The initial counter position may be basically random, but may 
also be reset to a predetermined value, e.g. zero. 
5 Generating authentication values occurs autonomously, i.e., 

without (possible) influencing from outside. As a result, the 
resistance to fraud is further increased. 

It will be understood that, instead of each time increasing the 
counter position by one, it may each time be decreased by one. 

10 Likewise, the counter position may each time be increased or decreased 
by more than one, e.g., by two or four. It is also possible to 
construct the circuit 100 in such a manner that the authentication 
value(s) are not modified within a transaction but only between 
transactions. In such a case, the payment station is of course 

15 arranged accordingly. 

A payment station for the application of the invention comprises 
means (such as a card reader) for communicating with a payment means, 
means for carrying out authentications (such as a processor), and 
means for recording balance values (such as a semiconductor memory) . 

20 The payment station is constructed in such a manner that an un- 
successful authentication makes it impossible for a new balance value 
to be recorded. The authentication according to the invention also 
comprises the authentication values. The steps of the method according 
to the invention may be laid down both in equipment (specific circuit, 

25 such as an ASIC) and in software (suitable program for a processor) . 

It will be understood by those skilled in the art that the 
invent ion is no t 1 imi ted to the embodiments shown , and that many 
modifications and amendments are possible without departing from the 
scope of the invention. Thus, the principle of the invention is 

30 described above on the basis of debiting a payment means, but said 
principle may also be applied to crediting payment means. 
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CLAIMS 

1. Method of performing a transaction using payment means (11) and 
a payment station (12), the method comprising the repeated execution 
of an interrogation step (I; III) in which the payment station (12) 
interrogates the payment means (11) and receives payment means data 

5 (e.g. SI; S2) in response, the payment means data comprising an 

authentication code (MAC1 ; MAC2) produced by a predetermined process 
(F), a subsequent authentication code (e.g. MAC2) being linked to a 
preceding authentication code (MAC1) of the same transaction by an 
authentication value (e.g. A2) produced in both the payment means (11) 
10 and the payment station (12). 

2. Method according to claim 1, wherein the authentication value 
(e.g. Al) is altered in each interrogation step (e.g. I). 

3. Method according to claim 1 or 2 , wherein the process (F) 
involves a key (K) . 

15 4. Method according to claim 1 r 2 or 3 t wherein the process (F) 

involves a random value (e.g. R2) produced by the payment station (12) 
and a payment means balance (e.g. S2) . 

5. Method of protectedly debiting an electronic payment means (11) 
using a payment station (12) , the method comprising: 
20 - a first step (I), in which: 

the payment station (12) transfers a first random number (Rl) to 

the payment means (11) , 

the payment means (11), in response to said first random number 
(Rl) , transfers a first authentication code (MAC1) to the 
25 payment station (12) , which first authentication code (MAC1) is 

determined on ':he basis of at least the first random number (PI) 
and a first authentication value (Al) t and 

the payment station (12) checks the first authentication code 
(MAC1) ; 

30 - an optional second step (II), in which: 

the payment station (12) transfers a debiting command (D) to the 
payment means (11) and the balance (SI) of the payment means is 
lowered on the basis of the debiting command; and 
- a third step (III), in which: 

35 - the payment station (12) transfers a second random number (R2) 

to the payment means (11), 
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the payment means (11), in response to said second random number 
(R2), transfers a second authentication code (MAC2) to the 
payment station (12), with the second authentication code being 
determined on the basis of at least the second random number 
5 (R2) and a second authentication value (A2) , the second 

authentication value (A2) being derived from the first 
authentication value (Al) , and 

the payment station (12) derives the second authentication value 
(A2) from the first authentication value (Al) and checks the 
10 second authentication code (MAC2) . 

6. Method according to claim 5, wherein the first and second 
authentication values (Al , A2) are identical. 

7. Method according to claim 5, wherein the first and second 
authentication values (Al, A2) comprise consecutive counter values. 

!5 8, Method according to claim 5, wherein an authentication value 
(e.g. A2) is each time formed on the basis of a random number (e.g. 
R2) and the previous authentication value (Al) . 

9. Method according to any of the preceding claims, wherein an 
authentication code (e.g. MAC2) is also determined on the basis of a 

20 key (K) and an identification code. 

10. Method according to any of the preceding claims, wherein an 
authentication code (e.g. MAC1) is determined with the aid of a 
cryptographic function (F) . 

11. Method according to any of the preceding claims, in which in the 
25 first and third steps (I, III) the payment means (11) transfers a 

balance (e.g. SI) to the payment station (12). 

12. Method according to any of the preceding claims, in which in the 
first and third steps (I, III) the payment means (11) transfers the 
current authentication value (e.g. Al) to the payment station (12). 

30 13. Method according to any of the preceding claims, in which the 
third step (III) is carried out repeatedly. 

14. Method according to any of the preceding claims, further 
comprising a fourth step (IV) wherein the difference (S1-S2) between 
the balances of the first and third steps is recorded in the payment 

35 station (12) . 

15. Method according to any of the preceding claims, wherein the 
first random number (Rl) is equal to the second random number (R2). 
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16. Method according to any of the preceding claims, wherein the 
payment station (12) comprises a module for protectedly recording 
data . 

17. Financial transaction, carried out by applying the method 
5 according to any of the preceding claims. 

18. Electronic payment means (11), comprising an integrated circuit 
having processing means (101) , a memory (102) and an input/output 
circuit (103), arranged for implementing the method according to any 
of the claims 1 to 16 inclusive. 

10 19. Payment station (12), arranged for application of the method 
according to any of the claims 1 to 16 inclusive. 
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